The following is an excerpt from the book, The New School of Information Security
. In this section of Chapter 7: Life in the New School (.pdf), authors Adam Shostack and Andrew Stewart explain why a fresh and innovative way of thinking is the only way to truly address today's information security challenges.
The Use and Abuse of Language
A great many of the words we use when discussing security,
including trust, threat, risk, safety, privacy, and security, can
have multiple meanings. Each is evocative and carries with it
cultural baggage. We often find ourselves talking past each
other because of the inexact nature of these terms. This is not
an argument for prescriptivism in language. Languages are
successful when and because they are vibrant means of communication.
If we can think and speak clearly, we can do so in
spite of imprecise terms. If we can't think clearly, having precisely
defined terms won't help us.
 |
|
|
|
|
Describing a product as "secure" reinforces the fallacy that security is somehow a binary value... That kind of black-and-white distinction works with, say, pregnancy, but not for security.
, | | | | | | | | |
|
Language can be abused, and it is abused. Chapter 2 discussed
some of the sales tactics used within the commercial
information security industry. Describing a product as "secure"
reinforces the fallacy that security is somehow a binary
value—that something can be either "secure" or not. That kind
of black-and-white distinction works with, say, pregnancy, but
not for security. Without active intervention, the security of a
computer system degrades over time. This happens because
new vulnerabilities emerge that can affect it, and because of a
process akin to natural decay in which operational changes
become security issues. Something that is "secure" can at the
most only be said to be "secure right now." What is "secure"
today is unlikely to be "secure" tomorrow. Another example is
referring to certain security architectures as having an
"assured" security model. In fact, no security can unequivocally
be "assured." In cryptography, a debate is raging over the
use of the term "proven," for much the same reasons.
Some security practitioners understand that when they
refer to something as "secure," they are implicitly including an
unstated corollary of "...depending on this, that, and the other
thing." Trying to define this, that, and the other thing—the
external factors on which the security depends—is a game of
infinite regression. The term "secure" might be seen as a simplification
to cope with the situation's inherent complexity. This abstraction makes it easier for people to function practically
in their jobs, but not everyone understands that subtlety.
The preceding section discussed the challenge of making a system
"secure and usable." We spent quite some time discussing
a way to say this without using the word "secure." In the end,
we decided to hope that you would see it as an example of a
place where "secure" is easier to say, while glossing over underlying
complexity.
Security companies often invent new terms for things.
"Pharming" is a name for attacks against the Domain Name
System. The meaning of "pharming" is not obvious. That
makes it a poor name. The same criticism can be leveled
against other terms within security, such as "pretexting." This
was the technique used to illegally collect information about
the Hewlett-Packard board of directors in 2006. Pretexting is
actually "social engineering," which is just another word for
lying.
Arguments about terminology have been unresolved for
many years, and we will not solve them here. Attempts to create
strictly defined vocabulary within information security are
likely doomed to failure as long as English remains a living
language.
Reproduced from the book The New School of Information Security
Copyright [2008], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.
29 May 2008
